Starting with PT ISIM 4.1, the mechanism for getting expertise from the cloud has been updated
PT Industrial Security Incident Manager (PT ISIM), a hardware and software suite for deep analysis of traffic, expands its feature set. Users of PT ISIM 4.1 and later connected to the Positive Technologies update cloud1 can now download not only indicators of compromise for industrial threats, but also analysis of ICS protocols.
"Today, new threats and trending vulnerabilities are appearing all the time, so it’s vital to update product expertise between transitions to new releases," says Ilya Kosynkin, Head of Product Development, PT ISIM. "Before, PT ISIM could receive updates of detection rules and indicators of compromise for ICS, and now we added analysis of protocols without deployment2 or manual configuration. Connecting PT ISIM to PT ISTI (PT Industrial Security Threat Indicators3) database servers allows quick, seamless, and automatic updating of detection rules for current threats, as well as expanding the set of supported protocols."
The PT ISIM expertise package includes new mechanisms for detecting threats in Siemens, Hirschmann, Yokogawa, and Rockwell Automation equipment, and for detecting attacks in Windows. For Hirschmann devices, for example, there is now support for the HiDiscovery protocol, detecting network scanning and attempts to change the network settings. In addition, support for certain features of the Siemens SIMATIC S7 protocol related to debug modes and program logic loading has been expanded.
Positive Technologies Expert Security Center (PT ESC) regularly investigates new threats, including in industrial systems. When new attack methods appear, our experts work closely with the PT ISIM team, which draws up threat detection rules, indicators of compromise, and mechanisms for detailed analysis of protocols. These, in turn, are made available to all users of the product. This way, PT ISIM regularly receives sets of indicators of compromise, which—not in theory, but in practice—deserve the close attention of infosec specialists. For example, in the case of Hirschmann devices, Positive Technologies detected attacks in which the High Discovery utility was used to change the configuration of network equipment. This tactic was added to the new PT ISIM expertise package.
The PT ISIM threat detection mechanisms were also upgraded, allowing:
- Detection of Windows services remote control using standard Microsoft operating system tools (for example, MS-SCMR, also known as SVCCTL4)
- Detection of the malicious tool Bvp475
- Detection of attempts to exploit the vulnerabilities CVE-2014-0781 (Yokogawa CENTUM CS 3000) and CVE-2020-12029 (Rockwell Automation FactoryTalk View SE)
The update is compatible with PT ISIM versions 4.1 and 4.2. The latest builds of PT ISIM 4.2 come with the new expertise package already installed. The package can be installed either over the network when connected to the PT ISIM cloud server, or locally.
Because PT ISIM is part of the comprehensive PT Industrial Cybersecurity Suite (PT ICS) for cyberthreat detection and incident response, PT ICS users also receive these and other PT ISIM-related expertise packs and updates.
- Each PT ISIM Overview Center allows you to centrally update all View Sensor nodes below it (including ones connected through other Overview Center nodes). For update packages to appear automatically in PT ISIM Overview Center, you need to connect the component to the update server by means of a special key supplied with the product.
- Deployment of the web service in the working environment.
- The PT ISTI database, which contains 4,000 signatures and rules for detecting attacks on ABB, Emerson, Hirschmann, Schneider Electric, Siemens, Yokogawa, and other equipment.
- Service Control Manager Remote Protocol.
- A backdoor named Bvp47 for numerous references to the string Bvp and numerical value 0×47 in the encryption algorithm. It was detected in Linux systems as early as 2013.